[PATCHESv2] Add vfs_admin vfs module

Ira Cooper ira at wakeful.net
Tue Oct 6 16:57:13 UTC 2015


Why aren't we just using our security contexts to do the right thing here?

That seems simple and non-racy. :-)

Thanks,

-Ira

On Tue, Oct 6, 2015 at 12:13 PM, Jeremy Allison <jra at samba.org> wrote:

> On Tue, Oct 06, 2015 at 08:41:12AM -0700, Jeremy Allison wrote:
> > On Tue, Oct 06, 2015 at 08:36:34AM -0700, Jeremy Allison wrote:
> > >
> > > For directories, the only "safe" POSIX way to do this as
> > > root is :
> > >
> > > a). mkdir(name)
> > > b). fd = open(name, O_RDONLY);
> > > c). fstat(fd);
> > > d). Ensure owner/primary group match current POSIX
> > > creds.
> > > e). fchown(fd, newcreds);
> > >
> > > That's not race-free, but at least it can detect
> > > any races.
> >
> > Correction ! That should be:
> >
> > a). mkdir(name)
> > a1). chdir(name);
> > b). fd = open(".", O_RDONLY);
> > c). fstat(fd);
> > d). Ensure owner/primary group match current POSIX
> > creds.
> > e). fchown(fd, newcreds);
> >
> > This stuff is tricky :-).
>
> And the above is *also* wrong :-).
>
> The correct (*) way is :
>
> parent_name = get_parent_name(name);
> final_component = get_final_component(name);
> chdir(parent_name);
> check_name = realpath(".");
> ensure check_name == parent_name;
> mkdir(final_component);
> chdir(final_component);
> check_name = realpath(".");
> ensure check_name == name;
> fd = open(".", O_RDONLY);
> fstat(fd);
> ensure stat owner matches current posix creds.
> fchown(fd, new_creds);
>
> (*) until I or someone else spots another flaw :-).
>
> This of course won't work with pathnames
> deliberately containing symlinks, but is
> as safe as I can think of on the spur-of
> the moment.
>
>
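The recipe in the quoted message, carried through as a working C helper. This is an added example, not Samba code or Jeremy's; `safe_mkdir_chown` and `demo_safe_mkdir` are hypothetical names. It assumes an absolute, symlink-free path (as the message says it must) and that the caller may have the process cwd changed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create `name` and hand it to new_uid/new_gid following
 * the thread's steps. After each chdir() a realpath(".") check confirms we are
 * where we expect (a swapped-in symlink is caught), and fchown() only happens
 * if fstat() says the directory is still ours. Returns 0 on success, -1 otherwise. */
int safe_mkdir_chown(const char *name, uid_t new_uid, gid_t new_gid)
{
    char parent[PATH_MAX], check[PATH_MAX];
    const char *slash = strrchr(name, '/');
    struct stat st;
    int fd, ret = -1;
    if (name[0] != '/' || slash == NULL || slash[1] == '\0' ||
        (size_t)(slash - name) >= sizeof(parent))
        return -1;
    /* parent_name as a string; the parent of "/x" is "/" itself */
    snprintf(parent, sizeof(parent), "%.*s", slash == name ? 1 : (int)(slash - name), name);
    if (chdir(parent) != 0) return -1;
    if (realpath(".", check) == NULL || strcmp(check, parent) != 0) return -1;
    if (mkdir(slash + 1, 0700) != 0) return -1;          /* final_component */
    if (chdir(slash + 1) != 0) return -1;
    if (realpath(".", check) == NULL || strcmp(check, name) != 0) return -1;
    fd = open(".", O_RDONLY | O_DIRECTORY);  /* O_DIRECTORY: extra guard, not in the thread */
    if (fd < 0) return -1;
    /* step (d): owner and primary group must match our own POSIX creds
     * (a setgid parent directory would make the group differ) */
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid() && st.st_gid == getegid())
        ret = fchown(fd, new_uid, new_gid);
    close(fd);
    return ret;
}

/* Self-check: run the helper under a fresh scratch directory; 0 on success. */
int demo_safe_mkdir(void)
{
    char tmpl[] = "/tmp/safe_mkdir_XXXXXX", base[PATH_MAX], name[PATH_MAX]; int ret;
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, base) == NULL) return -1;
    if (snprintf(name, sizeof(name), "%s/sub", base) >= (int)sizeof(name)) return -1;
    ret = safe_mkdir_chown(name, geteuid(), getegid());  /* chown to ourselves */
    if (chdir("/") != 0) ret = -1;                       /* leave before rmdir */
    rmdir(name); rmdir(base);
    return ret;
}
```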

